Commits on Sep 21, 2024

1. fix: Use Opus in the CBR mode …

   VBR is susceptible to a transcription attack, where words can be
   deducted from bandwidth fluctuations, even despite the audio being
   encrypted. Toxcore does add padding, but it's just 0-7 bytes, to pad to
   a 8 byte boundary, which might not be enough. CBR is safe from this
   attack, it is the industry recommendation to use CBR: "Applications
   conveying highly sensitive unstructured information SHOULD NOT use
   codecs in VBR mode."[1], and is what other secure messengers use too,
   e.g. Signal.
   
   Here are some papers on this topic:
   - A. M. White, A. R. Matthews, K. Z. Snow and F. Monrose, "Phonotactic
     Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks,"
     2011 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2011,
     pp. 3-18, doi: 10.1109/SP.2011.34.
   - L. A. Khan, M. S. Baig, and Amr M. Youssef. Speaker recognition
     from encrypted VoIP communications. Digit. Investig. 7, 1–2 (October,
     2010), 65–73. https://doi.org/10.1016/j.diin.2009.10.001
   - C. V. Wright, L. Ballard, S. E. Coull, F. Monrose and G. M. Masson,
     "Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP
     Conversations," 2008 IEEE Symposium on Security and Privacy (sp 2008),
     Oakland, CA, USA, 2008, pp. 35-49, doi: 10.1109/SP.2008.21.
   
   Thanks to an IRC user who asked to remain anonymous for sending the
   diff.
   
   [1] https://datatracker.ietf.org/doc/html/rfc6562#section-3

   

   nurupo committed Sep 21, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 03e9fbf
   • Browse repository at this point

   Copy the full SHA

   03e9fbf View commit details

   Browse the repository at this point in the history